Wireguard suddenly stopped working

Was working for a week or so and now cannot get a handshake with any device.
I synced the time with NTP and then via the browser; neither fixed the issue, even after a reboot.

The only change I can think of is that I installed luci-app-wol, but the VPN may have failed before that. I have since removed the package.

I went over the config files and don't notice any real difference from my previous ones, which were working.
Any help please?

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'f4434'

config device
	option name 'br-lan'
	option type 'bridge'
	option acceptlocal '1'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4 5'
	option vid '30'
	option description 'NVR'

config device
	option type 'bridge'
	option name 'br-NVR'
	list ports 'eth1.30'

config interface 'NVR'
	option proto 'static'
	option device 'br-NVR'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-GUEST'
	list ports 'eth1.10'

config device
	option type 'bridge'
	option name 'br-IOT'
	list ports 'eth1.20'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '123'
	option private_key '123'
	list addresses '192.168.9.1/24'

config wireguard_vpn
	option description '50'
	option public_key '123'
	option private_key '123'
	option preshared_key '123'
	option route_allowed_ips '1'
	option endpoint_port '123'
	list allowed_ips '192.168.9.2/32'

config interface 'vpns2'
	option proto 'wireguard'
	option private_key '123'
	option listen_port '123'
	list addresses '192.168.9.3/24'

config wireguard_vpns2
	option description 's2'
	option public_key '123'
	option private_key '123'
	option preshared_key '123'
	option route_allowed_ips '1'
	option endpoint_port '123'
	list allowed_ips '192.168.9.4/32'

config interface 'vpnair'
	option proto 'wireguard'
	option private_key '123'
	option listen_port '123'
	list addresses '192.168.9.10/24'

config wireguard_vpnair
	option description 'iphon'
	option public_key '123'
	option private_key '123'
	list allowed_ips '192.168.9.200/32'
	option route_allowed_ips '1'
	option endpoint_port '123'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t'
	option vid '20'
	option description 'USER'

config device
	option type 'bridge'
	option name 'br-USER'
	list ports 'eth1.20'

config interface 'USER'
	option proto 'static'
	option device 'br-USER'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'GUEST'
	option proto 'static'
	option device 'br-GUEST'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t'
	option vid '10'
	option description 'GUEST'

config wireguard_vpn
	option description 's7'
	option public_key '123
	option private_key '123'
	option preshared_key '123'
	list allowed_ips '192.168.9.5/32'
	option route_allowed_ips '1'
	option endpoint_port '123'
	option persistent_keepalive '25'

config wireguard_vpns2
	option description 'pad'
	option public_key '123'
	option private_key '123'
	option preshared_key '123'
	option endpoint_port '123'
	list allowed_ips '192.168.9.6/32'

config wireguard_vpnair
	option description 'm2'
	option public_key '123'
	option private_key '123'
	option preshared_key '123'
	list allowed_ips '192.168.9.11/32'
	option route_allowed_ips '1'
	option endpoint_port '123'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpns2'
	list network 'vpnair'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '618'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '151'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '520'
	option proto 'udp'
	option target 'ACCEPT'

config rule

config zone
	option name 'NVRZONE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'NVR'

config forwarding
	option src 'lan'
	option dest 'NVRZONE'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	list proto 'udp'

config rule

config rule
	option name 'Allow-HikNVR'
	option src 'lan'
	option dest_port '13'
	option target 'ACCEPT'

config zone
	option name 'USERZONE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'USER'

config forwarding
	option src 'lan'
	option dest 'USERZONE'

config forwarding
	option src 'USERZONE'
	option dest 'wan'

config zone
	option name 'GuestZONE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config forwarding
	option src 'GuestZONE'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'GuestZONE'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'NVR'
	option interface 'NVR'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'J1P-3'
	option ip '192.168.1.228'
	option mac '123'

config host
	option name '2t'
	option ip '192.168.30.228'
	option mac '123'

config dhcp 'USER'
	option interface 'USER'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

I swapped out the port numbers (and keys) above, but they all match my devices.
Not sure if the answer is here, but just noting that the devices were all set up and working; I have not edited any of them since. So is this not a WireGuard/OpenWrt issue? Sigh.

s7 device:

interface:
address 192.168.9.5/32
DNS 192.168.1.1
listen port 123

Peer:
allowed ip 0.0.0.0/0, ::/0
endpoint PUBLIC IP:123

Delete the vpns2 interface and all of its peers, or change its addresses: it sits in the same 192.168.9.0/24 subnet as your vpn interface, causing a conflict.

Same with vpnair:

What is the point of all of these different wireguard interfaces?


I was testing out adding multiple peers and it seemed to be working.

I deleted those two and rebooted, and the device linked to 'vpn' still gets no handshake.

Let's see the latest network and firewall files.

Wait — I just sent a new QR code to my phone and got a handshake. I didn't change any setting; does this happen?

Maybe something was wrong with the way your phone had been configured.

Sounds like it is working now?

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


psherman, thanks for helping me so quickly; I needed this working tonight as I'm leaving the server.

I am scared this will occur once I'm away though to be honest.

If I may quickly ask: if I want to add 4-5 peer devices, is it fine to use the same interface for all of them at the same time? That was the reason I used multiple interfaces — some threads seemed to suggest it, but I may have misinterpreted.

Yes. Each additional peer must have its own keypair and a unique /32 address within the interface's subnet, but otherwise absolutely. I have many peers defined on one interface, no problems at all.


My other device on the 'vpn' interface also does not handshake from the saved tunnel; when I make a new tunnel it works. Perhaps deleting the other interfaces cleared something up in the works that I will never be able to comprehend. Thank you for this and for the VLAN help. I can hopefully check the NVR when away!

You need to restart the WireGuard interface (or the whole router) after you add/edit/remove peers. That may be the problem you are encountering.


I figured it out, actually. Looking from another device, the public IP had changed. The ISP changed the IP, which will be a problem for me.

Is there no quick fix for this one?

Use a dynamic DNS service to solve that problem, and point the peers' endpoint at the hostname instead of the IP so it follows the changing WAN address.


OK, I'll do some quick reading.

for any future readers:
https://openwrt.org/docs/guide-user/services/ddns/client

I think I got DDNS up and running with No-IP.

Wow, what a rabbit hole all this stuff is. Cheers.
